DEPARTMENT OF DEFENSE

4800 MARK CENTER DRIVE 
ALEXANDRIA, VIRGINIA 22350-1500 


September 27, 2019 
Ref: FOIA-2015-00904 


SENT VIA EMAIL TO: 21239-85995477@requests.muckrock.com 

Mr. Shawn Musgrave 
DEPT MR 21239 
411A Highland Avenue
Somerville, MA 02144-2516 

Dear Mr. Musgrave: 

This responds to your Freedom of Information Act (FOIA) request for a copy of report 
DODIG-2015-168, (U) Air Force Commands Need to Improve Logical and Physical Security 
Safeguards That Protect SIPRNet Access Points. We received your request on September 14, 
2015, and assigned it case number FOIA-2015-00904. 

The Office of the Deputy Inspector General for Audit conducted a search and found the 
enclosed record responsive to your request. In coordination with the Department of the Air 
Force, we determined that redacted portions are exempt from release pursuant to the following 
FOIA exemptions: 

• 5 U.S.C. § 552 (b)(1), which pertains to information that is currently and properly
classified pursuant to Executive Order 13526, Section 1.4(g), as it relates to
vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans,
or protection services relating to the national security;

• 5 U.S.C. § 552 (b)(3), which pertains to information exempted from release by
statute, in this instance 10 U.S.C. § 130e - Department of Defense critical
infrastructure security information (DCRIT). Specifically, portions redacted under
this statute contain sensitive but unclassified information related to the Department of
Defense Information Network, which has been deemed to qualify as DCRIT by the
Chief Management Officer of the Department of Defense;

• 5 U.S.C. § 552 (b)(5), which pertains to certain inter- and intra-agency
communications protected by the deliberative process privilege;

• 5 U.S.C. § 552 (b)(6), which pertains to information, the release of which would
constitute a clearly unwarranted invasion of personal privacy; and

• 5 U.S.C. § 552 (b)(7)(E), which pertains to records or information compiled for law 
enforcement purposes, the release of which would disclose techniques and procedures 
for law enforcement investigations or prosecutions. 

If you consider this an adverse determination, you may submit an appeal. Your appeal, if
any, must be postmarked within 90 days of the date of this letter, clearly identify the 
determination that you would like to appeal, and reference to the FOIA case number above. 

Send your appeal to the Department of Defense, Office of Inspector General, ATTN: FOIA 
Appellate Authority, Suite 10B24, 4800 Mark Center Drive, Alexandria, VA 22350-1500, or via 
facsimile to 571-372-7498. For more information on appellate matters and administrative appeal 
procedures, please refer to 32 C.F.R. Sec. 286.9(e) and 286.11(a). 

You may contact our FOIA Public Liaison at FOIAPublicLiaison@dodig.mil or by 
calling 703-604-9785, for any further assistance with your request. Additionally, you may 
contact the Office of Government Information Services (OGIS) at the National Archives and 
Records Administration to inquire about the FOIA mediation services they offer. The contact 
information for OGIS is as follows: Office of Government Information Services, National 
Archives and Records Administration, 8601 Adelphi Road-OGIS, College Park, Maryland 
20740-6001, e-mail at ogis@nara.gov; telephone at 202-741-5770; toll free at 1-877-684-6448;
or facsimile at 202-741-5769. However, OGIS does not have the authority to mediate requests 
made under the Privacy Act of 1974 (request to access one’s own records). 

If you have any questions regarding this matter, please contact this office at 
703-604-9775 or via email at foiarequests@dodig.mil.


Sincerely, 



Searle Slutzkin 
Division Chief 

FOIA, Privacy and Civil Liberties Office 


Enclosure(s): 
As stated 

Mission

Our mission is to provide independent, relevant, and timely oversight 
of the Department of Defense that supports the warfighter; promotes 
accountability, integrity, and efficiency; advises the Secretary of 
Defense and Congress; and informs the public. 


Vision 

Our vision is to be a model oversight organization in the Federal 
Government by leading change, speaking truth, and promoting 
excellence—a diverse organization, working together as one 
professional team, recognized as leaders in our field. 



Fraud, Waste & Abuse 

HOTLINE 

Department of Defense 

dodig.mil/hotline 1800.424.9098 


For more information about whistleblower protection, please see the inside back cover. 

Results in Brief


(U) Air Force Commands Need to Improve Logical and Physical 
Security Safeguards That Protect SIPRNet Access Points 


September 3, 2015

(U) Objective

(U) Our audit objective was to determine
whether the Air Force was effectively 
protecting its Secret Internet Protocol 
Router Network (SIPRNet) access 
points. Specifically, we reviewed the 
security safeguards that protect 
SIPRNet access points a 


(U) Findings (cont'd)

in accordance with applicable DoD and
Air Force guidance. This occurred because

(U) Findings


among other findings, we found that 




(U) Management Actions Taken 

During the audit,

In addition,


This occurred because 

(U) Management Comments and 
Our Response 


(U) The Commander, U.S. Cyber Command; Director,
Defense Information Systems Agency; and Commander, addressed the specifics of
the recommendations.

(U) Comments from the Air Force Chief, Information
Dominance CIO; Commander, and Commander, partially addressed
the recommendations. We request they provide additional
comments in response to the final report. In addition, we
received the Administrative Assistant to the Secretary of
the Air Force and DoD CIO comments on the draft
report too late to include them in the final report.
Therefore, if the Administrative Assistant to the Secretary
of the Air Force and DoD CIO do not submit additional
comments, we will consider those comments as the
management response to the final report.

(U) The Under Secretary of Defense for Intelligence;
Commander, Air Force Materiel Command; Commander,
Air Force Space Command; Commander, Air Force Reserve
Command; Commander, 24th Air Force; and Commander,
did not provide comments to the draft report.
We request that they respond to the final report. Please
see the Recommendations Table on the next page.

(U) Recommendations Table

| Management | Recommendations Requiring Comment | No Additional Comments Required |
|---|---|---|
| Under Secretary of Defense for Intelligence | A.1 | |
| Administrative Assistant to the Secretary of the Air Force | B.1 | |
| Commander, Air Force Materiel Command | A.2 | |
| Commander, U.S. Cyber Command | | |
| Commander, Air Force Space Command | A.4 | |
| Department of Defense Chief Information Officer | A.1 | |
| Director, Defense Information Systems Agency | | A.3 |
| Commander, Air Force Reserve Command | A.2 | |
| Air Force Chief, Information Dominance Chief Information Officer | A.5.a, A.5.b, B.2 | |
| Commander, 24th Air Force | A.6 | |
| Commander, | | A.7, B.3 |
| Commander, | A.8.a, A.8.b, B.4.d | A.8.c, B.4.a, B.4.b, B.4.c |
| Commander, | B.5 | A.9.a, A.9.b, A.9.c |
| Commander, | A.6, A.10.a, A.10.b, A.10.c, A.10.d | |



(U) Please provide Management Comments by October 5, 2015. 

September 3, 2015


MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE 
COMMANDER, U.S. CYBER COMMAND 
DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER 
ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL 
MANAGEMENT AND COMPTROLLER) 


SUBJECT: Air Force Commands Need to Improve Logical and Physical Controls That 
Protect SIPRNet Access Points (Report No. DODIG-2015-168) 

(S) We are providing this final report for your review and comment. We considered management 
comments on a draft of this report when preparing the final report. The Air Force commands 






In addition, the Air Force commands 

complete SIPRNet access 
forms; and provide North Atlantic Treaty Organization briefings. We conducted this audit in 
accordance with generally accepted government auditing standards. 


(FOUO) DoD Instruction 7650.03 requires that all recommendations be resolved promptly. The
Commander, U.S. Cyber Command; Director, Defense Information Systems Agency; and
Commander, addressed the specifics of the recommendations. Comments
from the Air Force Chief, Information Dominance Chief Information Officer partially addressed
Recommendation A.5.a and did not address Recommendations A.5.b and B.2. Therefore, we request
additional comments on these recommendations by October 5, 2015. Comments from the
Commander, did not address Recommendations A.8.a, A.8.b, and B.4.d.
Therefore, we request additional comments on these recommendations by October 5, 2015.
Comments from the Commander, did not address Recommendation B.5.
Therefore, we request additional comments on these recommendations by October 5, 2015. We
received the Administrative Assistant to the Secretary of the Air Force and DoD Chief Information
Officer comments on the draft report too late to include them in the final report. Therefore, if the
Administrative Assistant to the Secretary of the Air Force and DoD Chief Information Officer do not
submit additional comments, we will consider those comments as the management response to the
final report.


(FOUO) The Under Secretary of Defense for Intelligence; Commander, Air Force Materiel Command;
Commander, Air Force Space Command; Commander, Air Force Reserve Command; Commander,
24th Air Force; and Commander, did not provide comments,
and therefore, may not have taken any actions to correct or mitigate vulnerabilities identified in the
report. The vulnerabilities identified
It is required that these addressees respond to the
recommendations in the final report with the actions taken to resolve these vulnerabilities by
October 5, 2015.

(U) Please send a PDF file containing your comments and 

Copies of your comments must have the actual signature of the 
authorizing official for your organization. We cannot accept the /Signed/ symbol in place of the
actual signature. If you arrange to send classified documents electronically, you must send them 
over the SIPRNet. 

(U) We appreciate the courtesies extended to the staff. Please direct questions to 



or 







Carol Gorman 

Assistant Inspector General 

Readiness and Cyber Operations 
(U) Introduction 
(U) Objective 

(U) Our audit objective was to determine whether the Air Force was effectively
protecting its Secret Internet Protocol Router Network (SIPRNet) access points. 
Specifically, we reviewed the security safeguards that protected the SIPRNet access 
points at selected locations. This is the second in a series of audits to review the 
safeguards implemented by the Military Departments to protect SIPRNet access points. 
See Appendix A for our scope and methodology. 

(U) Background 

(FOUO) SIPRNet access points are all possible physical or logical connections where a 
user can access SIPRNet. Physical safeguards such as locks, guards, and security 
containers deter or delay adversaries' access to the network. Logical safeguards are 
system-based mechanisms such as firewalls, permission settings, usernames and 
passwords, and SIPRNet tokens that are used to designate who or what has access to a 
specific system or function. Air Force Space Command manages the Air Force SIPRNet, 
and 24th Air Force operates the network. 

(FOUO) All Air Force bases connect to SIPRNet through access points called
Gateways.¹ Gateways are located in the continental United States and are
outside the continental United States. The Gateways control all network traffic in and
out of the Air Force SIPRNet.² The data management responsibilities for SIPRNet are
decentralized and divided among multiple squadrons that are subordinate to



(U) ¹ Gateways are the entry and exit points for data to and from the SIPRNet.

(U) ² The SIPRNet connects the Air Force classified enclaves to the Defense Information Systems Network.

(U) ³ Firewalls refer to hardware and software that limits access between networks or systems (or both) in accordance with
a specific security policy.

(U) ⁴ Network defense devices include equipment used to monitor, detect, analyze, and respond and restore activities.

SECRET

(FOUO) The Gateways provide SIPRNet connection to the enclaves,⁵ which support
approximately 75,000 SIPRNet users. Figure 1 shows the flow of data between the 
access points, enclaves, and Gateways, and the squadrons that manage the SIPRNet. 



(U) Figure 1: Air Force SIPRNet Data Flow and Data Management Responsibilities 






(U) ⁵ Enclaves are a collection of information systems connected by one or more internal networks under the control of a
single authority and security policy.

(U) ⁶ The perimeter of a network encompasses all network components that are to be accredited by the designated
accrediting authority.

(U) ⁷ Host Based Security System is an application that monitors, detects, and counters against known cyber threats.

(U) ⁸ The communications squadrons responsible for each base we reviewed were Communications Squadron at, Communications Squadron at, and Communications Squadron at.

(FOUO) We reviewed physical and logical safeguards for SIPRNet access points at the
and three bases that are supported by the 

and 

(U) Vulnerability Categories 

(U) DoD guidance⁹ requires all vulnerabilities identified during Information
Assurance (IA) control validation¹⁰ be corrected or mitigated or that the risk be
accepted. In addition, DoD Components¹¹ are required to report vulnerabilities on the
Information Technology (IT) Security Plan of Action and Milestones (POA&M) before
they grant an authorization to operate (ATO).¹² The IT Security POA&M assists agencies
to identify, assess, prioritize, and monitor the DoD network's vulnerabilities and should
include the actions performed to correct or mitigate the vulnerabilities. The
IT Security POA&M should include the vulnerability and an assigned vulnerability
severity category (CAT).

(U) CAT I vulnerabilities are assigned to findings that allow primary security 
protections to be bypassed, which allow immediate access by unauthorized personnel. 
Before an ATO is granted, all CAT I vulnerabilities are required to be corrected. For new 
CAT I vulnerabilities, the system can continue to operate on the network only if the 
designated accrediting authority certifies in writing that continued system operation is 
critical to mission accomplishment and the DoD Component Chief Information 
Officer (CIO) authorizes the system to continue to operate. Otherwise, the system must 
be disconnected from the SIPRNet. 


(U) ⁹ DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP),"
November 28, 2007. The authorizations to operate were
issued under DoD Information Assurance Certification and Accreditation Process for up to three years and are
applicable until recertification.

(U) ¹⁰ Validation confirms or establishes by testing, evaluation, examination, investigation, or competent evidence that a
DoD information system assigned information assurance controls are implemented correctly.

(U) ¹¹ DoD Components include Combatant Commands, Services, Agencies, and Field Activities.

(U) ¹² Authorization to operate is an authorization granted by a designated accrediting authority for a DoD information
system to process, store, or transmit information; an authorization to operate indicates a DoD information system
has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the designated
accrediting authority.

(U) Review of Internal Controls

DoD Instruction 5010.40, "Managers’ Internal Control Program (MICP) Procedures,"
May 30, 2013, requires DoD organizations to establish a program to review, assess, and
report on the effectiveness of internal controls. We identified internal control
weaknesses for 24th Air Force and . Specifically,


¹³ We will provide a copy of the report to
the senior official responsible for internal controls at 24th Air Force and .


We also identified internal control weaknesses for

. Specifically,

(U) Finding A


(FOUO)
The Air Force
Specifically:



Communications Squadron (CS), 




(U) Port security solutions are any method used to electronically lock network ports so that only approved devices can use 
the port. 


(U) Removable media are items such as compact discs, digital videodisc, secure digital cards, tape, flash memory data
storage devices, diskettes, multi-media cards, and external hard drives.


For this report,

(U) Boundary protection is monitoring and controlling communications at the external boundary of an information system
to prevent and detect malicious and other unauthorized communications.

(U) The authorizations to operate for were issued under DIACAP for
up to three years and are applicable until recertification.

(U) For the DIACAP, see Appendix B.

(U) The Air Force Space Command submits Air Force ATOs to the Defense Information Systems Agency for approvals to
connect to the Defense Information Systems Network.





After our site visit,

The Commander, Air Force Materiel Command and Commander, Air Force Reserve Command should
review the bases under their command and implement a
if needed.



(U) Whether the DIACAP or the Risk Management Framework for DoD Information Technology applies
depends on where the Air Force ATOs are in the certification process. The transition from the DIACAP to the Risk
Management Framework for DoD Information Technology must not exceed the system re-authorization timeline.

(U) Defense Information Systems Agency, "Access Control in Support of Information Systems," Security Technical
Implementation Guide, Version 2, Release 3, October 29, 2010.

(U) The Category I vulnerabilities were identified on the November 2014, December 2014, January 2015, February 2015,
and March 2015 Assured Compliance Assessment Solution scans.

(U) Assured Compliance Assessment Solution vulnerability scans.

(U) Note: The monthly scan results are located in Appendix C



(U) DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP),"
November 28, 2007.

(U) Internet Protocol addresses are identifiers that are assigned to equipment connected to the network.

(U) The authorizations to operate for were issued under DIACAP for
up to three years and are applicable until recertification.

(U) reports to Air Combat Command and the reports to Air Force Materiel Command.

(U) We used the control test table developed by DoD OIG Quantitative Methods Division and published in the Council of
the Inspectors General on Integrity and Efficiency, "Journal of Public Inquiry," 2012-2013 when performing the
control tests.

U.S. Cyber Command, Task Order 14-0185, "Insider Threat Mitigation," July 17, 2014 and Defense Information
Systems Agency Program Executive Office - Mission Assurance Host Based Security System, "Device Control
Module Guidance for Task Order 14-0185," October 28, 2014.

(FOUO)
users with SIPRNet access

In addition, while performing other tests of controls, we identified users 

1. See Appendix D for our testing results. 





(FOUO) This occurred because 
The Commander,
according to DoD and Air Force

guidance, cannot be developed then the Commander, 

should coordinate with base CSs and any other necessary parties to develop a 

The Commander, 






in accordance with DoD and Air Force guidance. 


(U) Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6510.01F, "Information Assurance (IA) and Support to
Computer Network Defense (CND)," February 9, 2011.

(U) Air Force Manual 33-282, "Computer Security," March 27, 2012; and Technical Manual Methods and Procedures,
TO 00-33B-5004, "Access Control for Information Systems," December 19, 2012.

(U) Active Directory provides a method to store data and provide data to network users and administrators. 
SAF/CIO A6 should review the deficiencies identified, require a thorough review of the Air Force
SIPRNet security safeguards performed at each command, and apply corrective actions
as necessary.


(U) Recommendations, Management Comments, 
and Our Response 

(U) Recommendation A.1

(FOUO) We recommend that the Under Secretary of Defense for Intelligence, the
Commander, U.S. Cyber Command, and the DoD Chief Information Officer, issue
clarifying guidance for the Office of the Secretary of Defense Memorandum
"Insider Threat Mitigation" to instruct Military Services and agencies on the
proper procedures to


(U) U.S. Cyber Command Comments

(FOUO) The U.S. Cyber Command, Deputy Director, Current Operations, agreed, stating
that the existing Defense Information Systems Agency Device Control Module guidance
will be updated and released as of August 31, 2015.


This will reinforce supporting documentation such as the
February 11, 2014, White House memorandum "Near-Term Measures to
Reduce the Risk of High Impact Unauthorized Disclosures" and the July 2, 2014, Office of
the Secretary of Defense memorandum "Mitigations for Insider Threat and High Impact
Unauthorized Disclosures."

(U) Our Response 

(U) Comments from the Deputy Director addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


(U) DoD Chief Information Officer Comments 

(U) We received the DoD CIO comments on the draft report too late to include them in 
the final report. Therefore, if the DoD CIO does not submit additional comments, we 
will consider those comments as the management response to the final report. 

(U) Management Comments Required 

(U) The Under Secretary of Defense for Intelligence did not provide comments to the 
draft report. Therefore, we request the Under Secretary provide comments in response 
to the final report. 


(U) Recommendation A.2 


We recommend that the Commander, Air Force Materiel Command, and the
Commander, Air Force Reserve Command,

in accordance with Defense Information Systems Agency, "Access Control in
Support of Information Systems," Security Technical Implementation Guide,
Version 2, Release 3, October 29, 2010.


(U) Management Comments Required 

(U) The Commander, Air Force Materiel Command and Commander, Air Force Reserve 
Command did not provide comments to the draft report. Therefore, we request the 
Commanders provide comments in response to the final report. 

(U) Recommendation A.3 

(S) We recommend that the Commander, U.S. Cyber Command and Director,
Defense Information Systems Agency, coordinate to issue clarifying guidance for
the Task Order 14-0185, "Insider Threat Mitigation," July 17, 2014, to instruct
DoD Components to

(U) U.S. Cyber Command Comments

(FOUO) The U.S. Cyber Command, Deputy Director, Current Operations, agreed, stating
that the existing Defense Information Systems Agency Device Control Module guidance 

The Defense Information Systems Agency will work in coordination with 
U.S. Cyber Command to update the guidance and notify the community when released. 


(U) Our Response 

(U) Comments from the Deputy Director addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management
comments before this recommendation can be closed. 


(U) Defense Information Systems Agency Comments 
(FOUO) The Defense Information Systems Agency, Executive, Infrastructure
Development, agreed, stating that the Defense Information Systems Agency
Infrastructure Directorate will update the Device Control Module guidance to

The Defense Information Systems Agency will work in coordination with U.S. Cyber Command to update the
guidance and notify the community when released.

(U) Our Response 

(U) Comments from the Executive addressed all of the specifics of the recommendation. 
No further comments are required to the final report; however, we request a copy of the 
formal policies and procedures described in the management comments before this 
recommendation can be closed. 


(U) Recommendation A.4 

(FOUO) We recommend that the Commander, Air Force Space Command, submit 

to the Defense Information Systems Agency for 
in accordance with applicable DoD guidance, either 
DoD Instruction 8510.01, "DoD Information Assurance Certification and
Accreditation Process (DIACAP)," November 28, 2007 or DoD Instruction 8510.01,
"Risk Management Framework (RMF) for DoD Information Technology (IT),"
March 12, 2014.

(U) Management Comments Required 

(U) The Commander, Air Force Space Command did not provide comments to the draft
report. Therefore, we request the Commander provide comments in response to the 
final report. 

(U) Recommendation A.5 

(U) We recommend the Air Force Chief, Information Dominance Chief 
Information Officer: 

a. (FOUO) Review the deficiencies identified, require a thorough
review of the Air Force Secret Internet Protocol Router Network 
security safeguards performed at each command, and apply 
corrective actions as necessary. 


(U) Air Force Information Dominance Chief Information Officer Comments 
(U) The Air Force Information Dominance Chief Information Officer, Chief, 
Cybersecurity Division, neither agreed nor disagreed, stating that SAF/CIO A6 identified 



with the Secretary of the Air Force, Inspector General (SAF/IG) to develop an
Air Force-wide mandatory inspection item for the second quarter FY 2016. Estimated
completion of tasks is second quarter FY 2017.

(U) Our Response

Comments from the Chief partially addressed the recommendation. We request
that the Chief provide additional comments that address all report findings, not just
Also, provide comments that describe the implementation plan in
response to the final report.

b. (FOUO) Develop a plan to create a list of mission critical systems,
update the list periodically, and provide this information to the 
appropriate communications squadron and network personnel at 
each base. 

(U) Air Force Information Dominance Chief Information Officer Comments 

(U) The Air Force Information Dominance Chief Information Officer, Chief,
Cybersecurity Division, neither agreed nor disagreed, stating that
DoD Instruction 8510.01 states that the DoD Component CIO (SAF/CIO A6) must make



(U) Our Response 

(FOUO) Comments from the Chief did not address the specifics of the recommendation. 
We agree that mission criticality 

However, if the system owner considers the system mission critical, it is 

The decision to classify a system as 

mission critical 



response to the final report. 

(U) Recommendation A.6

We recommend that the Commander, 24th Air Force, in coordination with the
Commander, 


in accordance with DoD policy. 

(U) Management Comments Required 

(U) The Commander, 24th Air Force and Commander, 

did not provide comments to the draft report. Therefore, we request the
Commanders provide comments in response to the final report. 

(U) Recommendation A.7

(U) We recommend that the Commander,

in accordance with Chairman of the Joint Chiefs of Staff Instruction
6510.01F, "Information Assurance (IA) and Support to Computer Network
Defense (CND)," February 9, 2011 and Technical Manual Methods and
Procedures, TO 00-33B-5004, "Access Control for Information Systems,"
December 19, 2012.


(U) Commander, 

The Director of Operations, 
Air Force Reserve Command 


procedures to 


Comments 

, neither agreed nor disagreed, stating that 


In addition. 


developed 

(U) Our Response

(U) Comments from the Director addressed all of the specifics of the recommendation. 
No further comments are required to the final report; however, we request a copy of the 
formal policies and procedures described in the management comments before this 
recommendation can be closed. 

(U) Recommendation A.8 

(U) We recommend that the Commander, 


a. Develop procedures to 


b. (S) Develop procedures to

their major commands and the Air Force Chief, Information 
Dominance Chief Information Officer. 


(U) Commander, Comments

The Commander, neither agreed nor disagreed.



(U) Our Response 

Comments from the Commander did not address the specifics of the 
recommendations. The process described 





Therefore, we request the Commander provide comments in 
response to the final report. 


(FOUO) in accordance with
Chairman of the Joint Chiefs of Staff Instruction 6510.01F,
"Information Assurance (IA) and Support to Computer Network
Defense (CND)," February 9, 2011 and Technical Manual Methods
and Procedures, TO 00-33B-5004, "Access Control for Information
Systems," December 19, 2012.

(U) Commander, Comments

(U) The Commander, neither agreed nor disagreed, stating that processes are
now in place

It will be the member’s
responsibility to contact their Information System Security Officer or CSA [Client
System

(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


(U) Recommendation A.9

(U) We recommend that the Commander,
a. (S) Develop procedures to



(U) Commander, Comments

The Commander, agreed, stating that procedures are
being developed to

(U) Our Response

(U) Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


b. Develop procedures to

their major commands and the Air Force Chief, Information 
Dominance Chief Information Officer. 



(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


c. 


(FOUO) accordance with

Chairman of the Joint Chiefs of Staff Instruction 6510.01F,
"Information Assurance (IA) and Support to Computer Network
Defense (CND)," February 9, 2011, and Technical Manual Methods
and Procedures, TO 00-33B-5004, "Access Control for Information
Systems," December 19, 2012.


(U) Commander, Comments

The Commander, agreed, stating that the process has
been implemented.


(U) Our Response 

Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report. 
(U) Recommendation A.10

(U) We recommend the Commander,


a. Develop procedures to



d. (FOUO) Develop and implement 


according to the Chairman
of the Joint Chiefs of Staff Instruction 6510.01F, "Information
Assurance (IA) and Support to Computer Network Defense (CND),"
February 9, 2011, and Air Force Manual 33-282, "Computer
Security," March 27, 2012, and if cannot be
developed, then coordinate with base communications squadrons
and any other necessary parties to develop a




(U) Management Comments Required

(U) The Commander, did not provide comments to 

the draft report. Therefore, we request the Commander provide comments in response 
to the final report. 
(U) Finding B

(U) National Security Telecommunications and Information Systems Security Instruction 7003, "Protected Distribution
Systems," December 13, 1996 and Air Force System Security Instruction 7703, "Communications Security; Protected
Distribution Systems," August 26, 2008.


(U) PDS is used to transmit unencrypted classified information through an area of lesser classification. 

(U) National Security Telecommunications and Information Systems Security Instruction 7003, "Protected Distribution
Systems," December 13, 1996.

(U) Air Force System Security Instruction 7703, "Communications Security; Protected Distribution Systems,"
August 26, 2008.
(FOUO) System Access Forms Were Not Appropriately
Completed or Approved


, did not verify completion of required SIPRNet access forms. The Air Force
requires each user who requests SIPRNet access to complete:

• (FOUO) DD Form 2875, "System Authorization Access Request (SAAR)" in
accordance with Air Force Manual 33-152, "User Responsibilities and
Guidance for Information Systems," June 1, 2012. This form documents
supervisor, security manager, and IAO approval for system access and need
to know;

• (FOUO) DD Form 2842, "Department of Defense Public Key
Infrastructure (PKI) Certificate of Acceptance and Acknowledgement
of Responsibilities," August 2009. This form is used to acknowledge
the user's responsibility to safeguard the token and the registration
official verifies the identity of the individual;

• (FOUO) SF 312, "Nondisclosure Agreement" in accordance with
Air Force Instruction 31-501, "Personnel Security Program Management,"
January 27, 2005. Users complete this form to accept the obligation to
protect classified information; and

• (FOUO) Air Force (AF) Form 4394, "Air Force User Agreement
Statement-Notice and Consent Provision" in accordance with Air Force
Manual 33-152, "User Responsibilities and Guidance for Information
Systems," June 1, 2012. This form identifies rules of system use and user
consent to monitoring.

(U) Enterprise Network Data Repository


The CSs did not verify completion of required forms to gain SIPRNet access.

To determine if the forms required to gain access to SIPRNet were correctly completed,
we performed control tests for the DD Forms 2875, DD Forms 2842, SF 312,
and AF Forms 4394 for 45 personnel and

for 39 personnel We identified errors in the forms and, therefore,
the control test failed. The Table below identifies the number of forms provided by
the respective CS and outlines the results of our analysis.
(U) Table. Forms Required for SIPRNet Access

                         DD Form 2875   DD Form 2842   SF 312   AF Form 4394

Received (out of 45)          20             34           36          15
Completed Correctly           11             25           36          15
Completed Incorrectly          9              9            0           0
Forms Not Received            25             11            9          30

Received (out of 45)          22             44           41          20
Completed Correctly           16             44           41          20
Completed Incorrectly          6              0            0           0
Forms Not Received            23              1            4          25

Received (out of 39)          36             28           37          38
Completed Correctly            5             28           37          37
Completed Incorrectly         31              0            0           1
Forms Not Received             3             11            2           1

(U) Note: See Appendix F for more detail. 


This occurred because the CSs did not establish policies and procedures to
verify that all IAOs completed and approved forms required for network access before

(FOUO)

According to DoD and Air Force Guidance, all cleared military, civilian, and contractor
personnel should receive a NATO security briefing and a written acknowledgement of the
NATO training will be maintained.


(FOUO) This occurred because the security personnel were not sure what "all
cleared personnel" meant. Additionally, security personnel at thought a
read receipt would satisfy the requirement for written acknowledgement. Finally,
security personnel were not aware of the requirement to
have all personnel take the NATO briefing. The requirement for NATO briefings is
important due to the ongoing missions and operations
of the Air Force. Since NATO briefings were not
conducted, individuals were not aware of the
appropriate method to secure and protect NATO
information. The Administrative Assistant to the
Secretary of the Air Force, should develop an action
plan to ensure Air Force commands conduct the NATO briefings for all personnel as
required by DoD Manual 5200.01, volume 1, "DoD Information Security Program:
Overview, Classification, and Declassification," February 24, 2012, and develop a
mechanism to identify and track personnel who receive the training.




(U) DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview, Classification, and Declassification,"
February 24, 2012.

(U) Air Force Instruction 31-401, "Information Security Program Management," Change 1, August 19, 2009 was in effect
when we began the audit. However, during the audit it was superseded by Air Force Instruction 16-1404, "Air Force
Information Security Program," May 29, 2015.

(U) Recommendations, Management Comments, and 
Our Response 

(U) Recommendation B.1

(FOUO) The Administrative Assistant to the Secretary of the Air Force, should 
develop an action plan to ensure Air Force commands conduct the North Atlantic 
Treaty Organization briefings for all personnel as required by DoD Manual 
5200.01, volume 1, "DoD Information Security Program: Overview, Classification, 
and Declassification," February 24, 2012, and develop a mechanism to identify
and track personnel who receive the training. 

(U) Administrative Assistant to the Secretary of the Air Force Comments 
(U) We received the Administrative Assistant to the Secretary of the Air Force
comments on the draft report too late to include them in the final report. Therefore, if 
the Administrative Assistant to the Secretary of the Air Force does not submit additional 
comments, we will consider those comments as the management response to the 
final report. 
(U) Recommendation B.2


(FOUO) We recommend that the Air Force Chief, Information Dominance Chief



(U) Air Force Chief, Information Dominance Chief Information 
Officer Comments 

(FOUO) The Air Force Information Dominance Chief Information Officer, Chief,
Cybersecurity Division, neither agreed nor disagreed, stating that there is a policy in
place and units were notified on July 6, 2010. The policy is the Methods and Procedures
Technical Manual 00-33d-2001, "Active Directory Naming Conventions," May 8, 2009.
The Manual provides instructions for entry into Active Directory with standard naming 
convention to include physical location and designated system administrator. The 
SAF/CIO A6 recommends CS reference equipment location in Active Directory and 
ensure adherence to the Active Directory Naming Conventions. In addition, Air Force 
Manual 33-153, "Information Technology Management," provides guidance to manage 
Air Force equipment. 


(U) Our Response 

(FOUO) Comments from the Chief did not address the specifics of the recommendation. 
The Air Force Manual and Methods and Procedures Technical Manual described do not 



comments in response to the final report. 


(U) Recommendation B.3

(FOUO) We recommend that the Commander, develop
procedures to verify that access forms are accurately completed before access is
granted to the Secret Internet Protocol Router Network.

(U) Commander, Comments

(U) The Director of Operations, CS, neither agreed nor disagreed, stating that the
CS has implemented a process to ensure completion and standardization of the
DD Form 2875. This process involves the participation of the requestor's supervisor,
unit security manager, and unit IAO. A form submitted will be reviewed for accuracy by
the Information Assurance Manager, Local Registration Authority, and SIPRNet Client
Service Technician. The DD Form 2875 will be returned to the unit IAO if received
incomplete. The requestor will provide copies of their derivative training and Cyber
Awareness training certificates.

(U) Our Response 

(U) Comments from the Director addressed all of the specifics of the recommendation. 
No further comments are required to the final report; however, we request a copy of the 
formal policies and procedures described in the management comments before this 
recommendation can be closed. 


(U) Recommendation B.4

(U) We recommend that the Commander, 




as by 

Air Force System Security Instruction 7703, "Communications 
Security: Protected Distribution Systems," August 26, 2008.


(U) Commander, Comments 

(U) The Commander, CS, neither agreed nor disagreed,

(U) Our Response

(U) Comments from the Commander addressed all of the specifics of the
recommendation. No further comments are required to the final report.

d. (FOUO) Develop procedures to verify that access forms are
accurately completed before access is granted to the Secret
Internet Protocol Router Network.

(U) Commander, Comments 

The Commander, CS, neither agreed nor disagreed, stating that processes
are currently in place to ensure that all documents are properly filled out before
submitting a SIPRNet account request by the unit Information Systems Security Officer.
This has been briefed to squadron, group, and wing commanders. 

(U) Our Response 

(U) Comments from the Commander did not address the specifics of the 
recommendation. The process described was not effective as discussed in the report. 

could not provide 75 access forms and users did not properly 
complete 18 access forms. Therefore, we request the Commander provide comments in 
response to the final report. 

(U) Recommendation B.5 

(FOUO) We recommend that the Commander, develop
procedures to verify that access forms are accurately completed before access is
granted to the Secret Internet Protocol Router Network.

(U) Commander, Comments

The Commander, Mission Support Group, agreed, stating that
follows Air Force Network procedures for account creation and paperwork in 
accordance with Air Force Manual 33-282. The Unit CSL maintains and provides the CS 
a copy of the DD Form 2875 to review for proper signatures before accounts are 
created. The regulation requires the unit CSL to maintain the original paperwork. 
(U) Our Response

(U) Comments from the Commander did not address the specifics of the 
recommendation. The process described was not effective as discussed in the report. 

could not provide 53 access forms and users did not properly complete 
6 access forms. Therefore, we request the Commander provide comments in response 
to the final report. 
(U) Appendix A


(U) Scope and Methodology 

(U) We conducted this performance audit from October 2014 through July 2015 in 
accordance with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 

(U) We performed the audit to determine whether the Air Force effectively protected
SIPRNet access points. We focused our review on the Air Force SIPRNet managed by 
We nonstatistically selected a sample of three Air Force bases 

to determine whether Air Force commands 
properly implemented logical and physical controls to protect SIPRNet access points. 
The commands chosen represented SIPRNet use that varied among active military and 
reserves. We reviewed physical and logical security safeguards at each base and logical 
controls and . In addition, we reviewed the certification and

accreditation packages for each base. 

(U) During our review, we interviewed DoD and Air Force component personnel. We 
interviewed personnel at: 


(U) U.S. Cyber Command to discuss 


(U) SAF/CIO A6 to discuss SIPRNet 


to obtain, review, and analyze 




, and required security training. In 


addition, we: 


o (U) obtained, reviewed, and analyzed local policies;

o (U) obtained, reviewed, and analyzed network access and write
privilege processes;

o (U) obtained, reviewed, and analyzed vulnerability management,
user authentication, account monitoring, asset management, and
personnel access policies and procedures; and

o (U) observed physical security for SIPRNet access points.

(U) In addition, we performed control tests for:

• (U) write privileges; 

• (U) background checks; and 

• (U) DD Forms 2875, DD Forms 2842, SF 312, and AF Forms 4394.


(U) We selected a random sample of:


• (U) 45 accounts from a universe of SIPRNet accounts at

• (U) 45 accounts from a universe of SIPRNet accounts at

• (U) 39 accounts from a universe of SIPRNet accounts at



; and 


(U) These decision rules applied for our control tests: if there were no errors in the 
sample, then the control passed, and if there were one or more errors, then the control 
failed. We used the control test table developed by Quantitative Methods Division at the 
DoD OIG and published in the Council of the Inspectors General on Integrity and 
Efficiency, "Journal of Public Inquiry," 2012-2013. 



(U) We selected a nonstatistical sample of user accounts. We randomized the universe to reduce bias during the sample
selection. 
(U) To determine whether the DD Forms 2875 were appropriately completed and
approved, we verified if the: 


• (U) user, information assurance officer, and security manager signed 
the form; 

• (U) IA training was completed within a year of the information assurance
manager's signature; and

• (U) boxes were checked to annotate the user had a need to know and access 
to classified information. 

(U) To determine whether DD Forms 2842 were appropriately completed and 
approved, we verified that the user and registration official signed and dated the form. 
Finally, to determine whether the AF Forms 4394 were appropriately completed, we 
verified that the user signed and dated the forms. 


(U) In addition, to determine whether , we
requested a list of users during the 6-month period from August 2014 through
January 2015 to

compare to a list of current SIPRNet users.


(U) Use of Computer-Processed Data 

We obtained and analyzed certification and accreditation packages from
Enterprise Mission Assurance Support Service. We used the packages to determine
whether the SIPRNet accreditation at the Air Force bases was appropriate. To assess
the reliability of the Enterprise Mission Assurance Support Service accreditation data,
we compared the data to controls in operation. In addition, we interviewed Air Force
and Defense Information Systems Agency personnel on the data accuracy.

as discussed in Finding A.

(FOUO) We obtained and analyzed Assured Compliance Assessment Solution
vulnerability scans from


We used the data to determine if
. Assured Compliance Assessment Solution is a DoD tool managed
by Defense Information Systems Agency,

We interviewed the 
identified the 

scans. We determined that these documents were sufficiently reliable for the purpose 
of this report. 




(FOUO) We obtained and analyzed data from the Joint Personnel Adjudication System.
The data was used to determine if personnel received background checks and signed 
nondisclosure agreements. Joint Personnel Adjudication System is the official 
repository of security information for DoD and the Defense Manpower Data Center 
manages the system. We interviewed security managers about the data stored in the 
Joint Personnel Adjudication System and observed them query the data. We 
determined that this data was sufficiently reliable for the purpose of this report.

(U) Use of Technical Assistance

(U) We obtained support from the DoD OIG Quantitative Methods Division to develop a
random sample for review. We obtained support from the DoD OIG Technical 
Assessment Directorate to define SIPRNet access points. 

(U) Prior Coverage 

(U) During the last 5 years, the Air Force Audit Agency issued one report discussing
controlled access to universal serial bus ports and compact disk drives and mitigation of 
identified vulnerabilities. 

(U) Air Force Audit Agency 

F2015-0002-030000, "Classified Information Systems Protection - Secret Internet 
Protocol Router Network," February 10, 2015.

(U) Appendix B

(U) DoD Information Assurance Certification and 
Accreditation Process 

(U) The DIACAP establishes a process to certify and accredit DoD information systems
based on the implementation of IA controls. DIACAP applies to all DoD-owned and
controlled information systems and consists of five activities:

(U) Activity 1: Initiate Certification and Accreditation. Register the system with the
appropriate DoD Component, assign IA controls to the information system, and initiate
the DIACAP Implementation Plan. Each assigned control is implemented according to
the applicable implementation guidelines provided in the DIACAP.

(U) Activity 2: Implement and Validate IA Controls. Executes the DIACAP
Implementation Plan, conducts validation activities, prepares the IT Security POA&M,
and compiles validation results in the DIACAP Scorecard. The status of each assigned
IA control is indicated on the DIACAP Scorecard as compliant, noncompliant, or
not applicable.

(U) Activity 3: Make Certification Determination and Accreditation Decision.
Determines whether to certify and accredit a DoD information system. Each
information system has a certifying authority, who bases the certification decision on
IA validation results, and a designated accrediting authority, who bases the
accreditation decision on a balance of mission or business need and protection of the
information being processed.

(U) Activity 4: Maintain Authorization. Sustains acceptable IA posture. The IA controls
should be reviewed annually to confirm the effectiveness of the assigned IA controls or
to recommend changes to the accreditation status. A designated accrediting authority
may downgrade or revoke an accreditation decision at any time if risk conditions or
concerns develop from the reviews. The results of an annual review or a major change
in information assurance posture at any time may indicate the need for recertification
and reaccreditation.

(U) Activity 5: Decommissioning. Removes DoD information system from operation.

(U) Appendix C


(FOUO)

Table.

Location   November   December   January   February   March

(U) Appendix D

(U) Test Results for 


from August 2014 through 
, to a list of 


We compared lists of personnel 
January 2015 provided and 

SIPRNet users 

In addition, while performing other control tests, we identified user 


; therefore, we did not perform a
control test for . However, while performing other
control tests, we identified 
The Table below identifies the sites tested and identifies the results of the analysis 
including the number o 


(U) Table. 


Discovered During Testing 




Sites Tested 





Not Provided 
(U) Appendix E


(U) Test Results for Protected Distribution Systems

(FOUO) We requested certification letters and PDS technical inspections.

We received and reviewed certification letters and technical inspection
documents. Our analysis identified:

• (FOUO)

• (FOUO)

(U) Our analysis of the that had evidence of a technical inspection identified:

• (FOUO)

• (FOUO)
(U) Appendix F


(U) Control Test Results for Forms Required for 
System Access 


(U) 

(U) DD Form 2875 

At , we received and reviewed 20 of the 45 requested
DD Forms 2875. Of the 20 forms reviewed, 9 were not completed correctly including
some with multiple discrepancies. Specifically,

• (FOUO) 2 were signed and approved after we requested them from

• (FOUO) 3 personnel did not meet the annual requirement for IA training
before signing the form;

• 1 was not signed and approved by the IAO; and

• 5 did not have properly filled out access and need to know
requirements; specifically, 2 of the 5 did not indicate the user had a
"need to know" and 3 of the 5 did not indicate the user needed access to
classified information.

(FOUO) could not provide 25 of the 45 DD Forms 2875.

(U) DD Form 2842

(FOUO) We received and reviewed 34 of the 45 requested DD Forms 2842. Of the
34 forms reviewed, 9 did not have the required user or IAO signatures.
could not provide 11 of the 45 DD Forms 2842.

(U) SF Form 312

(FOUO) We received and reviewed 36 of the 45 requested SF Forms 312 and all were
completed correctly. not provide 8 of the
45 SF Forms 312 because Chief, Information Protection, stated
that the eight individuals had They could not provide 1 of
the 45 SF Forms 312.
(U) AF Form 4394

(FOUO) We received and reviewed 15 of the 45 requested AF Forms 4394 and all 
were completed correctly. could not provide 30 of the 

45 AF Forms 4394. 

(U) DD Form 2875 

(FOUO) At , we received and reviewed 22 of the 45 requested DD Forms 2875.
Of the 22 forms reviewed, 6 were not completed correctly including some forms with
multiple discrepancies. Specifically,

• (FOUO) 2 were not signed by the information owner or IAO;

• (FOUO) 2 were not signed by the security manager; and 

• (FOUO) 5 did not indicate that the user had a need to know. 

(FOUO) did not provide 23 of the 45 DD Forms 2875 for various reasons such 

as users had left the base, confusion in the process for granting access, or an error 
in processing. 

(U) DD Form 2842 

(FOUO) We received and reviewed 44 of the 45 requested DD Forms 2842 and all were 
completed correctly. did not provide 1 of the 45 DD Forms 2842 because the 

created an account for a user that never came to complete the DD Form 2842 
before leaving .

(U) SF Form 312

(FOUO) We received and reviewed 41 of the 45 requested SF Forms 312 and all were
completed correctly. was unable to provide SF 312s for 4 of the 45 users.

(U) AF Form 4394

(FOUO) We received and reviewed 20 of the 45 requested AF Forms 4394 and all were 
completed correctly. did not provide 25 of the 45 AF Forms 4394 for various 

reasons such as users had left the base, confusion in the process for granting access, or 
an error in processing. 
(U) DD Form 2875

(FOUO) we received and reviewed 36 of the 39 requested
DD Forms 2875. did not provide 3 of the 39 DD Forms 2875 because the
Information Assurance Manager stated that until December 2014,
did not have an established Information Assurance Officer program to ensure
completion of the DD Forms 2875. Of the 36 DD forms reviewed, 31 were not
completed correctly including some forms with multiple discrepancies.

• 1 did not have the Security Manager's approval of
security clearance;

• (FOUO) 2 did not have correct IA training documented; specifically, one
person did not have IA training noted on the form and one person did not
have IA training before signing the form and gaining access to the SIPRNet;

• (FOUO) 30 were not signed and approved by the IAO; and

• 12 did not have properly filled out access and need to know
requirements. Specifically, of the 12:

o 2 did not have "need to know" or access to classified
information checked on the form,

o 4 did not have "need to know" checked on the form, and

o (FOUO) 6 did not have access to classified information checked on
the form.

(U) DD Form 2842

(FOUO) We received and reviewed 37 of the 39 requested DD Forms 2842 and all were
completed correctly. did not provide 2 of the 39 DD Forms 2842 because
Information Assurance Manager stated that they misplaced the forms.

(U) SF Form 312

(FOUO) We received and reviewed 37 of the 39 requested SF Forms 312 and all were
completed correctly. did not provide 2 of the 39 SF Forms 312 because the
Chief, Information Protection, stated that the two individuals had

(U) AF Form 4394

(FOUO) We received and reviewed 38 of the 39 requested AF Forms 4394 and one was
not completed correctly. did not provide 1 of the 39 AF Forms 4394
because the Information Assurance Manager stated that until December 2014,
did not have an established Information Assurance Officer program to
ensure completion of the AF Forms 4394.
(U) Appendix G

(U) Criteria

(U) We used the following guidance throughout the audit.

(U) National Security Telecommunications and Information 
Systems Security Committee 

(U) National Security Telecommunications and Information Systems Security
Instruction 7003, "Protected Distribution Systems," December 13, 1996, outlines
the approval authority, standards, and guidance for PDS design, installation,
and maintenance.

(U) Chairman of the Joint Chiefs of Staff

(U) Chairman of the Joint Chiefs of Staff Instruction 6510.01F, "Information
Assurance (IA) and Support to Computer Network Defense (CND)," February 9, 2011,
provides joint policy and responsibilities for IA and support to computer
network defense.

(U) DoD 

(U) DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD
Information Technology (IT)," March 12, 2014, provides procedural guidance for the
reciprocal acceptance of authorization decisions and artifacts within DoD, and between
DoD and other Federal agencies, for the authorization and connection of
information systems.

(U) DoD Instruction 8510.01, "DoD Information Assurance Certification and
Accreditation Process (DIACAP)," November 28, 2007, establishes a certification and
accreditation process to manage the implementation of IA capabilities and services
and provide visibility of accreditation decisions regarding the operation of
DoD information systems.

(U) DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview,
Classification, and Declassification," February 24, 2012, implements policy, assigns
responsibilities, and provides procedures for the designation, marking, protection, and
dissemination of controlled unclassified information and classified information.

(U) Office of the Secretary of Defense Memorandum "Insider Threat Mitigation,"
July 12, 2013, provides procedures for information protection and insider threat
mitigation to all DoD Components.

(U) U.S. Cyber Command

(FOUO) U.S. Cyber Command Task Order 14-0185, "Insider Threat Mitigation,"
July 17, 2014, implements a number of technical and procedural safeguards to mitigate
vulnerabilities exploitable by a determined insider threat.

(U) Air Force 

(U) Air Force Instruction 16-1404, "Air Force Information Security Program,” 

May 29, 2015, supersedes Air Force Instruction 31-401 and explains how to manage 
and protect unclassified controlled information and classified information. 

(U] Air Force Instruction 31-401, "Information Security Program Management," 

Change 1, August 19,2009, explains how to manage and protect unclassified controlled 
information and classified information. 

(U) Air Force Instruction 31-501, "Personnel Security Program Management," dated
January 27, 2005, provides guidance for personnel security investigations and
clearance needs.

(U) Air Force Manual 33-152, "User Responsibilities and Guidance for Information
Systems," dated June 1, 2012, identifies policies and procedures for the use of
cyberspace support systems and services and compliance requirements.

(U) Air Force Manual 33-282, "Computer Security," March 27, 2012, implements
computer security, which is designed to ensure the employment of countermeasures to 
protect and secure US government information processed by Air Force information 
systems by protecting the confidentiality, integrity, availability, authentication, and 
non-repudiation of information systems. 

(U) Air Force System Security Instruction 7703, "Communications Security: Protected
Distribution Systems," August 26, 2008, provides the minimum protection standards
based on national guidance for PDS to ensure the PDS provides adequate electrical,
electromagnetic, physical, and procedural safeguards.

(U) Defense Information Systems Agency

(U) Defense Information Systems Agency "Enclave" Security Technical Implementation
Guide, Version 4, Release 4, January 9, 2014, provides assistance in meeting the
minimum requirements, standards, controls, and options for securing an enclave as a
whole and providing the technical guidance to secure specific enclave components
in detail.

(U) Defense Information Systems Agency, "Access Control in Support of Information
Systems," Security Technical Implementation Guide, Version 2, Release 3,
October 29, 2010, provides details for security framework for use when planning and
selecting access control for protecting sensitive and classified information in DoD.
It provides background and context for access control issues including the process of
identification, authentication, and authorization for access to protected assets.

(U) Defense Information Systems Agency, Program Executive Office - Mission
Assurance, Host Based Security System, "Device Control Module Guidance for
Task Order 14-0185," October 28, 2014, provides directorate level instructions for
restricting the use of removable media on systems across the DoD.
(U) Management Comments

(U) U.S. Cyber Command 


UNCLASSIFIED//FOUO

DEPARTMENT OF DEFENSE
UNITED STATES CYBER COMMAND
9800 SAVAGE ROAD, SUITE 6477
FORT GEORGE G. MEADE, MARYLAND 20755

Reply to:
Deputy Director, Current Operations

MEMORANDUM FOR JOINT STAFF, J6

Subject: DODIG Draft Report: Air Force Commands Need To Improve Logical And Physical
Security Safeguards That Protect Siprnet Access Points. WMS Task #19609.

References: (a) (U) DODIG Draft Report: Air Force Commands Need To Improve Logical And
Physical Security Safeguards That Protect SIPRNet Access Points. Tasker 15-02944

(b) (U//FOUO) USCYBERCOM TASKORD 14-0185 Insider Threat Mitigations,
17 July 2014.


1. (U//FOUO) The DODIG Recommendation A.1.: We recommend that the Under Secretary of
Defense for Intelligence, the Commander, U.S. Cyber Command, and the DoD Chief
Information Officer, issue clarifying guidance for the Office of the Secretary of Defense
Memorandum “Insider Threat Mitigation” to instruct Military Services and agencies on the
proper procedures to


(U//FOUO) AGREE. The existing Defense Information Systems Agency Device Control
Module (DCM) guidance TASKORD 14-

DC^^uidanceU^^jelease^^^l 5) 

Tlu^umimorcnn^upponin^ociiinennion 
referenced in TASKORD 14-0185. Specifically, the 11 February 2014 White House
memorandum, "Near-Term Measures to Reduce the Risk of High Impact Unauthorized
Disclosures" (Reference K) and the 02 July 2014 Office of the Secretary of Defense
memorandum, "Mitigations for Insider Threat and High Impact Unauthorized Disclosures"
(Reference L) detail the operating environment the tasks are to be implemented.

2. (U//FOUO) The DODIG Recommendation A.3.: We recommend that the Commander, U.S.
Cyber Command and Director, Defense Information Systems Agency, coordinate to issue
clarifying guidance for the Task Order 14-0185, “Insider Threat Mitigation,” July 17, 2014, to
instruct DoD Components to


(U//FOUO) AGREE. The Defense Information Systems Agency will be updating the DCM
guidance

will work in coordination with U.S. Cyber Command’s J38 to update the guidance and notify
the community once it is developed and released.


DANELLE BARRETT 

Rear Admiral, USN 

Deputy Director, Current Operations 
Defense Information Systems Agency

DEFENSE INFORMATION SYSTEMS AGENCY
P.O. BOX
FORT MEADE, MD 20755-0549

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: DoD Inspector General Draft Report Dated July 10, 2015 (Project No.
D2015-D000RC-0033.000)

Reference: (U) DODIG DRAFT REPORT: AIR FORCE COMMANDS NEED TO IMPROVE 
LOGICAL AND PHYSICAL SECURITY SAFEGUARDS THAT PROTECT SIPRNET 
ACCESS POINTS 


The Defense Information Systems Agency (DISA) has reviewed the subject draft report 
and provides the following comment to the DODIG recommendation A.3. DISA has no other 
comments on the draft report. 

DODIG RECOMMENDATION A3: (U//FOUO): We recommend that the Commander,
U.S. Cyber Command and Director, Defense Information Systems Agency, coordinate to issue
clarifying guidance for the Task Order 14-0185, “Insider Threat Mitigation,” July 17, 2014, to
instruct DoD Components to

)i7)(r) 


DISA RESPONSE: DISA agrees with this recommendation. The DISAJnftaslijj^uri 
i Module (DCM) guidance to include HHIWilHiMH 

__ DISA will work in coordination with the U.S. Cyber 

to update the guidance and notify the community once it is developed and
released.




JOHN W. WILMER 
Infrastructure Development 
Executive 
(U) Air Force Chief, Information Dominance Chief
Information Officer

CLASSIFICATION: UNCLASSIFIED
DEPARTMENT OF THE AIR FORCE
HEADQUARTERS UNITED STATES AIR FORCE
WASHINGTON, DC

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL
PRINCIPAL ASSISTANT INSPECTOR GENERAL FOR
AUDITING

FROM: SAF/CIO A6S
1800 Air Force Pentagon, Rm 1D857
Washington, DC 20330-1800

SUBJECT: Department of Defense Inspector General (DoDIG) Draft Report, Audit: "Security
Controls Over Air Force’s Secret Internet Protocol Router Network Access Points"

1. The following are the SAF/CIO A6SC comments on the recommendations outlined in the
DoDIG Draft Report, Project No. D2015-D000RC-0033.000.

2. Comments: 


(U) Recommendation A.5.b/A.10.b: The Air Force Audit Agency's Report of Audit
t'^O15-0002-03000, Classified Information System Protection-Secret Internet
Protocol Router Network, 3 Feb 15, identified

Additionally, SAF/CIO A6 is working with SAF/IG to
develop a Special Interest Item projected for FY 2016, Qtr 2, as an Air Force-wide
mandatory inspection item. ECD: FY 2017 Qtr 2



CLASSIFICATION: UNCLASSIFIED 


(U) Air Force Chief, Information Dominance Chief
Information Officer (cont'd)


|(i')i7i(ri 


Communications Squadron 



UNCLASSIFIED 

DEPARTMENT OF THE AIR FORCE

I. HIAl.UXl.t IIMMAM) 


MEMORANDUM FOR DOD IG


FROM: 


|ll>M7)(H 


2X July 2015 


SUBJECT: Inspector General Project No. D2015-D000RC-0033.000

1. The following is the Communications Squadron initial response to the
recommendations requiring comment on the DOD IG (draft) project number
D2015-D000RC-0033.000:


2. (U) Recommendation
(AI-ROnolicv, AFR( 


^ I in,-. (l-MVld 1 


iti lo IMIS policy I 


Ill l:SC i lUV (lOWliri 




3. (U) Recommendation B.3: has put into effect a process to ensure the
completion and standardization of the SIPRNet System Authorization Access Request
(SAAR), DD form 2875. This process involves the participation of the requestor’s
supervisor, unit security manager, and unit IAO. A form submitted will be reviewed for
accuracy by the IAM, LRA, or SIPRNet CST. The DD form 2875 will be returned to the
unit IAO if received incomplete. The requestor will provide copies of their derivative
training, and Cyber-Awareness training certificates. Request this item be closed.



|(i>) II.) 


UNCLASSIFIED 
Communications Squadron




CLASSIFICATION: SECRET 

THIS PAGE IS UNCLASSIFIED WHEN 
ATTACHMENTS ARE REMOVED 


MEMORANDUM FOR DOD IG
FROM:

SUBJECT: (S) RESPONSE TO DOD IG Draft Report, Air Force SIPRNet Audit

1. (U) We have reviewed the DOD IG Draft Report, Air Force SIPRNet Audit, (atch 1), and
have provided our comments/responses as requested
RESPONSE TO DOD IG (atch 2).

2 Attachments

1. DOD IG Draft Report, Air Force SIPRNet Audit
(S) Air Force SIPRNet Draft Report

2. RESPONSE TO DOD IG




Report No. DODIG-2015-168 | 60












(U) Communications Squadron (cont'd)


Mission Support Group 




DKPARTMt.N 



lil>l(7lll ) 


5 AUG 2015


MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL
PRINCIPAL ASSISTANT INSPECTOR GENERAL FOR
AUDITING

SUBJECT: Department of Defense Inspector General Draft Report, Audit: "Security Controls
Over Air Force’s Secret Internet Protocol Router Network Access Points"

1. Thank you for the opportunity to review and comment on the Department of Defense Draft
Report, Project No. D2015-D000RC-0033.000, "Audit: Security Controls Over Air Force’s
Secret Internet Protocol Router Network Access Points,” dated July 10, 2015.

2. My specific comments to the recommendations are attached for your consideration to
incorporate in the final report. Overall, I concur with the draft Report's findings.

Attachment:

Department of Defense Inspector General Draft Report, dated 10 July 2015

S Comments
Mission Support Group (cont'd)

DEPARTMENT OF DEFENSE OFFICE OF THE INSPECTOR GENERAL
DRAFT REPORT - DATED JULY 10, 2015
PROJECT NO. D2015-D000RC-0033.000
AUDIT: “SECURITY CONTROLS OVER AIR FORCE’S SECRET INTERNET
PROTOCOL ROUTER NETWORK ACCESS POINTS”

CS COMMENTS
TO THE RECOMMENDATIONS


LLLKfAlik] I UiOKWiFI 


(U) Wu rvcommcitd (hat Ihe C ommiii 
a. iJcvcliin nrnccdutcs li* 


_ 

I 4(y).<bM3). t3lh!, (h) I’llIH 



(U) We

in accordance with Chairman of the Joint
Chiefs of Staff Instruction 6510.01F, “Information Assurance (IA) and Support to Computer
Network Defense (CND),” February 9, 2011, and Technical Manual Methods and Procedures,
TO 00-33B-5004, "Access Control for Information Systems," 10 December 2012.

RESPONSE: Concur. This process has been implemented. Recommend item be
Mission Support Group (cont'd)

(U) RECOMMENDATION B.5:

(FOUO) We recommend that the Commander, develop procedures to
verify that access forms are accurately completed before access is granted to the Secret Internet
Protocol Router Network.

(U) CS RESPONSE: Concur.
already follows the AFNET process for account
creation and paperwork following AFMAN 33-282. The Unit CSL maintains and provides CS a
copy of the DD 2875 System Authorization Access Request to review for proper signatures
before accounts are created. The regulation requires the unit CSL maintain the original
paperwork. Recommend item be closed.
(U) Acronyms and Abbreviations


AFB Air Force Base 
ARB Air Reserve Base 
ATO Authorization to Operate 
CAT Category 

CIO Chief Information Officer 


|(I>)|7||L| 


CS Communications Squadron
DIACAP DoD Information Assurance Certification and Accreditation Process
HBSS Host Based Security System
IA Information Assurance
IAO Information Assurance Officer
IP Internet Protocol
IT Information Technology
NATO North Atlantic Treaty Organization
NOS Network Operations Squadron
PDS Protected Distribution System
POA&M Plan of Actions and Milestones
RSD Rogue System Detection
SAF/CIO A6 Air Force Chief Information Officer
SIPRNet Secret Internet Protocol Router Network


(U) Glossary

(U) Active Directory. Provides a method to store data and provide the data to network 
users and administrators. 

(U) Allow-all. A configuration that allows all traffic to flow through without 
security evaluation. 

(U) Authorization to Operate (ATO). Authorization granted by a designated 
accrediting authority for a DoD information system to process, store, or transmit 
information; an ATO indicates a DoD information system has adequately implemented 
all assigned information assurance controls to the point where residual risk is 
acceptable to the designated accrediting authority. ATOs may be issued for up 
to 3 years. 

(U) Boundary Protection. Monitoring and controlling communications at the external 
boundary of an information system to prevent and detect malicious and other 
unauthorized communications, through the use of boundary protection devices. 

(U) Deny-by-default. A configuration in which network traffic, which is not expressly 
allowed, is denied. 

(U) Disable. To configure the enclave firewalls to be routers and allow-all network 
traffic. 

(U) DoD Components. Combatant commands, Military Services, Federal agencies,
and field activities. 

(U) Enclave. A collection of information systems connected by one or more internal 
networks under the control of a single authority and security policy. 

(U) Enclave Perimeter. Includes those points where remote users of an enclave gain 
access to resources and information within that enclave, or where members of the 
enclave, but not physically located within the enclave, gain access to resources or 
information within that enclave. 

(U) Firewalls. Hardware and software that limits access between networks or systems
(or both) in accordance with a specific security policy.

(U) Gateways. Entry and exit points for data to and from the SIPRNet.

(U) Host Based Security System (HBSS). An application that monitors, detects, 
and counters against known cyber threats. 

(U) Logical Safeguards. System-based mechanisms such as firewalls, permission 
settings, usernames and passwords, and SIPRNet tokens that are used to designate who 
or what has access to a specific system or function. 

(U) Interim Authorization to Operate. Temporary authorization granted by the 
designated accrediting authority to operate a DoD information system under the 
conditions or constraints enumerated in the accreditation decision. 

(U) Internet Protocol (IP) Address. Identifiers that are assigned to equipment 
connected to the network. 

(U) Network Defense Devices. Network defense devices include equipment used to 
monitor, detect, analyze, and respond and restore activities. 

(U) Physical Safeguards. Locks, guards, and security containers deter or delay an 
adversary's access to the network. 

(U) Plan of Action and Milestones (POA&M). A permanent record that identifies 
tasks to be accomplished to resolve vulnerabilities; required for any accreditation 
decision that requires corrective actions, it specifies resources required to accomplish 
the tasks enumerated in the plan and milestones for completing the tasks; also used to 
document designated accrediting authority accepted noncompliant information 
assurance controls and baseline information assurance controls that are not applicable. 
An IT Security POA&M may be active or inactive throughout a system’s life cycle as
weaknesses are newly identified or closed. 

(U) Port Security. To electronically lock network ports so that only approved devices 
can use the port. 

(U) Protected Distribution System (PDS). A system used to transmit encrypted 
classified National Security Information through an area of lesser classification 
or control. 
(U) Removable Media. Items such as compact discs, digital video discs, secure digital
cards, tape, flash memory data storage devices, diskettes, multi-media cards, and 
external hard drives. 

(U) Rogue System Device (RSD). Device that does not have Host Based Security
System software installed. 

(U) Security Posture. The security status of an enterprise's networks, information, and 
systems based on information assurance resources and capabilities in place to manage 
the defense of the enterprise and to react as the situation changes. 

(U) Severity Category (CAT) I. Assigned to findings that allow primary security
protections to be bypassed, allowing immediate access by unauthorized personnel or 
unauthorized assumptions of super-user privileges. An ATO will not be granted while 
CAT I weaknesses are present. 

(U) Subnetwork. An identifiably separate part of an organization's network. 

(U) Validation. Confirmation that requirements for a specific intended use or 
application have been fulfilled. 

(U) Write Function. The ability to download or transfer data from the SIPRNet to 
removable media. 

(U) Annex 

(U) Sources 

(FOUO) Source 1: DoD Instruction O-3600.02, "Information Operations (IO) Security
Classification Guide," November 28, 2005 (Document For Official Use Only)

Source 2: CCRI Summary Report," (Document classified Secret)
Declassify On: 20241114
Date of Source: November 14, 2014

(FOUO) Source 3: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20241114
Date of Source: November 14, 2014

(FOUO) Source 4: CCRI Summary Report," (Document classified Secret)
Declassify On: 20241209
Date of Source: December 9, 2014

(FOUO) Source 5: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20241209
Date of Source: December 9, 2014

(FOUO) Source 6: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250114
Date of Source: January 14, 2015

(FOUO) Source 7: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250114
Date of Source: January 14, 2015
(FOUO) Source 8: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250211
Date of Source: February 11, 2015

(FOUO) Source 9: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250211
Date of Source: February 11, 2015

(FOUO) Source 10: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250305
Date of Source: March 5, 2015

(FOUO) Source 11: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250305
Date of Source: March 5, 2015

Source 12: CCRI Summary Report," (Document classified Secret)
Declassify On: 20241201
Date of Source: December 1, 2014

(FOUO) Source 13: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20241201
Date of Source: December 1, 2014

(FOUO) Source 14: CCRI Summary Report," (Document classified Secret)
Declassify On: 20241204
Date of Source: December 4, 2014

(FOUO) Source 15: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20241204
Date of Source: December 4, 2014
(FOUO) Source 16: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250108
Date of Source: January 8, 2015

(FOUO) Source 17: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250108
Date of Source: January 8, 2015

(FOUO) Source 18: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250205
Date of Source: February 5, 2015

Source 19: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250205
Date of Source: February 5, 2015

(FOUO) Source 20: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250305
Date of Source: March 5, 2015

(FOUO) Source 21: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250305
Date of Source: March 5, 2015

(FOUO) Source 22: CCRI Summary Report," (Document classified Secret)
Declassify On: 20241117
Date of Source: November 17, 2014

(FOUO) Source 23: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20241117
Date of Source: November 17, 2014
(FOUO) Source 24: CCRI Summary Report," (Document classified Secret)
Declassify On: 20241203
Date of Source: December 3, 2014

(FOUO) Source 25: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20241203
Date of Source: December 3, 2014

(FOUO) Source 26: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250108
Date of Source: January 8, 2015

Source 27: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250108
Date of Source: January 8, 2015

(FOUO) Source 28: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250205
Date of Source: February 5, 2015

(FOUO) Source 29: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250205
Date of Source: February 5, 2015

(FOUO) Source 30: CCRI Summary Report," (Document classified Secret)
Declassify On: 20250313
Date of Source: March 13, 2015

(FOUO) Source 31: Technical Vulnerability Report," (Document classified Secret)
Declassify On: 20250313
Date of Source: March 13, 2015
Whistleblower Protection

U.S. Department of Defense

The Whistleblower Protection Enhancement Act of 2012 requires
the Inspector General to designate a Whistleblower Protection
Ombudsman to educate agency employees about prohibitions 
on retaliation, and rights and remedies against retaliation for 
protected disclosures. The designated ombudsman is the DoD Hotline 
Director. For more information on your rights and remedies against 
retaliation, visit www.dodig.mil/programs/whistleblower. 


For more information about DoD IG
reports or activities, please contact us:

Congressional Liaison
congressional@dodig.mil; 703.604.8324

Media Contact
public.affairs@dodig.mil; 703.604.8324

Monthly Update
dodigconnect-request@listserve.com

Reports Mailing List
dodig_report@listserve.com

Twitter
twitter.com/DoD_IG

DoD Hotline
dodig.mil/hotline
DEPARTMENT OF DEFENSE | INSPECTOR GENERAL

4800 Mark Center Drive 
Alexandria, VA 22350-1500 
www.dodig.mil 

Defense Hotline 1.800.424.9098 